A native application on a client computing device enables secure user authentication via an identity provider (idp) for accessing services of a web service provider. The native application forwards a redirect request generated by a main gateway of the service provider and including an idp uniform resource locator (url) to a system browser of the client computing device. The redirect request directs the system browser to a broker gateway of the service provider that registers an authentication response handler and redirects the system browser to the idp url to enable a user of the native client computing device to authenticate. After the broker gateway receives an idp authentication response from the idp following authentication by the user, the broker gateway provides the idp authentication response to the native application for providing back to the main gateway. The main gateway finally processes the authentication response to complete the authentication request.
|
1. A method comprising:
requesting, by a computing device via a native application running on the computing device, access to a service from a main gateway of a service provider associated with the native application;
receiving, at the computing device via the native application, a redirect request from the main gateway including an identity provider (idp) Uniform Resource Locator (url) directed to a network address of an idp;
providing, by the computing device via a web browser of the computing device, the idp url to a broker gateway of the service provider using the redirect request, the broker gateway configured to redirect the web browser to the idp url;
requesting, by the web browser, authentication of a user of the computing device by the idp, the broker gateway configured to receive an idp authentication response generated by the idp based on the authentication and partition the idp response into a plurality of data chunks, each data chunk less than a threshold size selected based on a browser url size limit;
sequentially receiving and assembling, by an authentication server instantiated by the native application, the plurality of data chunks from the broker gateway to produce a copy of the idp response; and
providing, by the native application, the copy of the idp response to the main gateway, the main gateway configured to provide the native application with access to the service.
12. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform operations comprising:
requesting, by a computing device via a native application running on the computing device, access to a service from a main gateway of a service provider associated with the native application;
receiving, at the computing device via the native application, a redirect request from the main gateway including an identity provider (idp) Uniform Resource Locator (url) directed to a network address of an idp;
providing, by the computing device via a web browser of the computing device, the idp url to a broker gateway of the service provider using the redirect request, the broker gateway configured to redirect the web browser to the idp url;
requesting, by the web browser, authentication of a user of the computing device by the idp, the broker gateway configured to receive an idp authentication response generated by the idp based on the authentication and partition the idp response into a plurality of data chunks, each data chunk less than a threshold size selected based on a browser url size limit;
sequentially receiving and assembling, by an authentication server instantiated by the native application, the plurality of data chunks from the broker gateway to produce a copy of the idp response; and
providing, by the native application, the copy of the idp response to the main gateway, the main gateway configured to provide the native application with access to the service.
2. The method of
receiving, by the computing device via web browser, instructions from the broker gateway redirecting the web browser to a url for a current data chunk of the plurality of data chunks;
after redirecting to the authentication server via the url for the current data chunk, accessing, by the authentication server, the current data chunk included in the url for the current data chunk;
responsive to determining a number of received data chunks is below a total data chunks in the plurality of data chunks, requesting instructions from the broker gateway for accessing a next data chunk of the plurality of data chunks from the broker gateway; and
responsive to determining the number of received data chunks matches the total number of data chunks, assembling the plurality of data chunks to produce the copy of the idp response.
3. The method of
4. The method of
providing, by the authentication server, additional instructions to the web browser to redirect to the broker gateway, the additional instructions including the non-redirect status response code and additional computer code that instructs the web browser to redirect to the web server request the next data chunk.
5. The method of
responsive to the web browser redirecting to the authentication server via the current url for the current data chunk using the computer code, transitioning, by the computing device, from a display of a first interface of the web browser for the broker gateway to a second interface of the web browser for the authentication server; and
responsive to requesting instructions from the broker gateway for accessing the next data chunk, receiving instructions from the broker gateway redirecting the web browser to a url for the next data chunk, the instructions redirecting to the url for the next data chunk including a redirect status code prompting the web browser to perform the standard browser redirect without the computing device transitioning to the second interface of the web browser.
6. The method of
after initializing the authentication server within the native application, modifying the redirect request by:
modifying the idp url to be directed to the authentication server; and
adding a port identifier of the authentication server to the redirect request; and
providing the modified idp url and the port identifier to the broker gateway via the modified redirect request, wherein the broker gateway registers a response handler using the port identifier configured to provide the plurality of data chunks to the authentication server.
7. The method of
requesting, by the native application, an idp authentication request from the main gateway;
responsive to receiving the idp authentication request from the main gateway, caching, by the mobile application, the idp authentication request on the authentication server;
responsive to the broker gateway redirecting the web browser to the authentication server using the modified idp url, providing, by the authentication server, the cached idp authentication request to the web browser; and
providing, by the web browser, the cached idp authentication request to the idp, the idp configured to provide the idp response to the response handler of the broker gateway responsive to authenticating a user of the computing device based on the authentication request.
8. The method of
responsive to the broker gateway redirecting the web browser to the authentication server using the modified idp url, requesting, by the authentication server, an idp authentication request from the main gateway; and
requesting, by the native application, an idp authentication request from the main gateway;
responsive to receiving the idp authentication request from the main gateway, providing, by the authentication server, the idp authentication request to the web browser; and
providing, by the web browser, the idp authentication request to the idp, the idp configured to provide the idp response to the response handler of the broker gateway responsive to authenticating a user of computing device based on the authentication request.
9. The method of
identifying, by the native application, an indicator in the redirect request that the idp uses SAML for authentication; and
responsive to identifying the indicator, performing the modifying of the idp url to be directed to the authentication server.
10. The method of
providing the idp identifier to the broker gateway, wherein the broker gateway is further configured to validate the idp url using the idp identifier.
11. The method of
13. The non-transitory computer-readable storage medium of
receiving, by the computing device via web browser, instructions from the broker gateway redirecting the web browser to a url for a current data chunk of the plurality of data chunks;
after redirecting to the authentication server via the url for the current data chunk, accessing, by the authentication server, the current data chunk included in the url for the current data chunk;
responsive to determining a number of received data chunks is below a total data chunks in the plurality of data chunks, requesting instructions from the broker gateway for accessing a next data chunk of the plurality of data chunks from the broker gateway; and
responsive to determining the number of received data chunks matches the total number of data chunks, assembling the plurality of data chunks to produce the copy of the idp response.
14. The non-transitory computer-readable storage medium of
15. The non-transitory computer-readable storage medium of
providing, by the authentication server, additional instructions to the web browser to redirect to the broker gateway, the additional instructions including the non-redirect status response code and additional computer code that instructs the web browser to redirect to the web server request the next data chunk.
16. The non-transitory computer-readable storage medium of
responsive to the web browser redirecting to the authentication server via the current url for the current data chunk using the computer code, transitioning, by the computing device, from a display of a first interface of the web browser for the broker gateway to a second interface of the web browser for the authentication server; and
responsive to requesting instructions from the broker gateway for accessing the next data chunk, receiving instructions from the broker gateway redirecting the web browser to a url for the next data chunk, the instructions redirecting to the url for the next data chunk including a redirect status code prompting the web browser to perform the standard browser redirect without the computing device transitioning to the second interface of the web browser.
17. The non-transitory computer-readable storage medium of
after initializing the authentication server within the native application, modifying the redirect request by:
modifying the idp url to be directed to the authentication server; and
adding a port identifier of the authentication server to the redirect request; and
providing the modified idp url and the port identifier to the broker gateway via the modified redirect request, wherein the broker gateway registers a response handler using the port identifier configured to provide the plurality of data chunks to the authentication server.
18. The non-transitory computer-readable storage medium of
requesting, by the native application, an idp authentication request from the main gateway;
responsive to receiving the idp authentication request from the main gateway, caching, by the mobile application, the idp authentication request on the authentication server;
responsive to the broker gateway redirecting the web browser to the authentication server using the modified idp url, providing, by the authentication server, the cached idp authentication request to the web browser; and
providing, by the web browser, the cached idp authentication request to the idp, the idp configured to provide the idp response to the response handler of the broker gateway responsive to authenticating a user of the computing device based on the authentication request.
19. The non-transitory computer-readable storage medium of
responsive to the broker gateway redirecting the web browser to the authentication server using the modified idp url, requesting, by the authentication server, an idp authentication request from the main gateway; and
requesting, by the native application, an idp authentication request from the main gateway;
responsive to receiving the idp authentication request from the main gateway, providing, by the authentication server, the idp authentication request to the web browser; and
providing, by the web browser, the idp authentication request to the idp, the idp configured to provide the idp response to the response handler of the broker gateway responsive to authenticating a user of computing device based on the authentication request.
20. The non-transitory computer-readable storage medium of
identifying, by the native application, an indicator in the redirect request that the idp uses SAML for authentication; and
responsive to identifying the indicator, performing the modifying of the idp url to be directed to the authentication server.
|
This application claims the benefit of and priority to U.S. Provisional Application No. 63/131,766, filed Dec. 29, 2020, which is incorporated by reference herein in its entirety.
This disclosure relates generally to user authentication, and in particular to user authentication on native applications via identity providers.
Native applications, such as mobile applications, can be developed to include, or “wrap,” an embedded web browser (i.e., a “web view”) for interfacing with web service providers, such as a mobile application corresponding to a particular web application. Developing native applications that use web views enables application developers to save time and resources by reusing existing functionality of a web service provider while also gaining access to native functionality. For example, a native application on a mobile device can include a web view that accesses existing features of a web application and also accesses native features of the mobile device, e.g., scanning bar codes using a camera of the mobile device.
Furthermore, many web service providers provide greater flexibility for users by enabling user authentication via multiple possible third-party identity providers (IdPs), such as Facebook, Google, Salesforce, etc. By interfacing with such web service providers via a web view of a native application, application developers can enable users of the native application to authenticate through the same IdPs without development of custom native software to facilitate authentication with each IdP.
However, IdP authentication with a web service via a web view of a native application presents various security issues. For instance, native applications that authenticate users with web services via web views can access authentication data passed between a user and an IdP that would normally not be accessible to a web service provider, e.g., when authenticating with the web service provider via a standalone web browser. Furthermore, to address these security issues, some IdPs prevent any authentication via web views. Existing systems do not provide a solution to overcome these limitations of web service provider authentication via native application web views in an IdP protocol-agnostic manner.
A native application on a client computing device enables secure user authentication via an identity provider (IdP) for accessing services of a web service provider through one or more gateways. The native application may include an embedded web browser (i.e., a “web view) that interfaces with the gateways of a web service provider corresponding to the native application. For example, the native application may be a native version of a web application for a particular client computing environment, such as a mobile application native to a type of mobile device. In order to facilitate secure user authentication through a main gateway of the web service provider via one or more IdPs, the native application intercepts a redirect request received from the main gateway including an IdP uniform resource locator (URL) and forwards the redirect request to a system web browser of the computing device (e.g., Safari™, Google Chrome™, Microsoft Edge™, etc.). The system web browser facilitates authentication of a user of the computing device through the IdP using the IdP URL. After the service provider receives an IdP authentication response from the IdP at an authentication response handler, the service provider provides the IdP authentication response to the native application for providing the response back to the main gateway. The main gateway confirms the user was successfully authenticated using the IdP authentication response, and provides the native application access to available services.
In some embodiments, network communications with the web service provider are distributed among multiple gateways by a load balancer. In these embodiments, a gateway that the system web browser establishes a communication session with (referred to herein as a “broker gateway”) may be different than the gateway that the native application establishes a communication session with (referred to herein as a “main gateway”). If the broker gateway is not the main gateway it cannot process the IdP authentication response received from the IdP to complete the pending authentication request because the pending authentication request originated at the main gateway. To address this, the native application obtains the IdP authentication response from the broker gateway and forwards the IdP authentication response back to the main gateway. In particular, the native application embeds a local server (referred to herein as an “authentication server”) to communicate with the broker gateway through the system web browser, such by using HTTP redirect requests.
In some embodiments, the IdP authentication request or authentication response may be provided by an IdP via an HTTP POST request, such as when the authentication response or authentication request includes a large amount of data. For example, if the IdP uses security assertion markup language (SAML) authentication protocols, the IdP may provide a SAML authentication response including an extensible markup language (XML) document via a POST request. In this case, because communication with the authentication server may not be secure (e.g., the authentication server does not use a secure socket layer (SSL)), the system web browser may prompt a user to allow the web server to redirect the POST request to the authentication server. In order to prevent such a prompt from the system web browser disrupting or otherwise negatively impacting the user experience, the broker gateway partitions the authentication response into a set of smaller data chunks and provides each data chunk via a separate HTML GET request.
The features and advantages described in this summary and the following detailed description are not all-inclusive. Many additional features and advantages will be apparent to one of ordinary skill in the art in view of the drawings, specification, and claims hereof.
The figures depict an embodiment of the invention for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
Gateway System Environment
The client device 110 is a computing device including a native application that communicates with the service provider 120 via the network 140. For instance, the client device 110 can be a desktop computer, a laptop computer, a mobile device (e.g., a mobile phone, a tablet, etc.), or any other suitable device. In some embodiments, the native application wraps an embedded web browser (i.e., a “web view”) for interfacing with services of the service provider 120, such as interfacing with one or more web applications of the service provider 120. The client device 110 also includes one or more system web browsers, such as Safari™, Google Chrome™, Microsoft Edge™, etc. As will be described in greater detail below with reference to
The service provider system 120 provides web services to client computing devices (e.g., the computing device 110) via the network 140. The service provider system 120 may provide various web services, such as one or more web applications or cloud computing services. In some embodiments, the service provider system 120 provides web services for monitoring and interacting with local or remote industrial systems and processes. In the embodiment shown in
The gateways 128 provide one or more interfaces for client computing devices to access services of the web service provider 120. In some embodiments, the gateways 128 are individual web servers or server clusters corresponding to a particular web application. The load balancers 124 directs network communications from the client computing devices to different gateways 128, e.g., to manage network load. After a communication endpoint of a client computing device, such as the native application or a system browser of the client device 110, is directed to a particular gateway 128, the gateway 128 may establish a communication session with the communication endpoint (e.g., a hyper-text transfer protocol (HTTP) session). As used herein, a first gateway 128 that communicates directly with the native application of the client device 110 is referred to as a “main gateway,” and a second gateway 128 that communicates directly with the system browser of the client device 110 is referred to as a “broker gateway.” Although the main gateway and the broker gateway are distinguished herein, in some cases the main gateway and the broker gateway may be the same gateway, such as if the gateways 128 are not managed by a load balancer 124 or if the native application and the system browser are directed to the same gateway 128 by a load balancer 124. In these embodiments, a gateway that the load balancer directs the system web browser to (referred to herein as a “broker gateway”) may be different than the gateway that the load balancer directs the native application to (referred to herein as a “main gateway”). The gateways 128 further enable users of the client computing devices to authenticate with the service provider 120 through one or more third-party IdPs (e.g., the IdP 130). As will be described in greater detail below with reference to
In the same or different embodiments, the IdP system 130 is a third-party provider of authentication services. Although the IdP system 130 is depicted separately from the service provider system 120, in some embodiments the IdP system 130 is a component of the service provider system 120. In other embodiments, the IdP system 130 is a third-party provider of authentication services. For example, the IdP system 130 can be a software application or service with an established user-base, such as Facebook™, Google™, or Salesforce™. In embodiments described herein, the IdP system 130 authenticates authentication requests for users of client computing devices of the service provider system 120. After authenticating the authentication requests, the IdP system 130 provides authentication responses that describe results of the authentication, e.g., whether or not a user was successfully authenticated. For example, the IdP 130 may provide authentication responses directly to a gateway 128 of the service provider system 120 via an authentication callback handler. The IdP system 130 may use one or more authentication communication protocols, such as an OpenID Connect (OIDC) protocol or a security assertion markup language (SAML) protocol. If the IdP system 130 uses SAML 2.0 for authentication, communication between the IdP system 130 and the server provider system 120 may be facilitated by one or more SAML 2.0 HTTP bindings, such as an HTTP Redirect binding, or an HTTP POST binding.
The network 140 may comprise any combination of local area or wide area networks, using wired and/or wireless communication systems. In one embodiment, the network 140 uses standard communications technologies and/or protocols. For example, the network 140 includes communication links using technologies such as Ethernet, 802.11 (WiFi), worldwide interoperability for microwave access (WiMAX), cellular networks (e.g., 3G, 4G, 5G), code division multiple access (CDMA), digital subscriber line (DSL), Bluetooth, Near Field Communication (NFC), Universal Serial Bus (USB), or any combination of communication protocols (e.g., TCP/IP, HTTP, S1v1TP, FTP), encodings or formats (e.g., HTML, JSON, XML), or protection schemes (e.g., VPN, secure HTTP, SSL). In some embodiments, all or some of the communication links of the network 140 may be encrypted using any suitable technique or techniques.
The native application 210 is a software application configured for execution by a native operating system of the client device 110. For instance, the native application 210 may be an iOS application, an Android application, a Microsoft Windows application, a macOS application, or any other suitable application configured for a particular operating system environment. In the embodiment shown in
The web view module 220 manages a web view wrapped by the native application 210. For example, the web view module 220 may be an “Android WebView” or an “iOS WKWebView.” Using the wrapped web view, the web view module 220 provides an interface for using services of the service provider system 120. Further, in order to the access services of the service provider system 120, the web view module 220 requests authentication of the user of the client device 110 through a main gateway of the service provider system 120. For example, the web view module 220 may access or display an interface of the service provider system 120 for a user to select from one or more authentication processes.
If the web view module 220 requests authentication by the IdP system 130, the web view module 220 receives a redirect request from the main gateway (e.g., an HTTP 302 redirect). The redirect request is configured to direct a web browser to a redirect uniform resource locator (URL) directed to a broker gateway of the service provider system 120, and additionally includes an IdP URL identifying an interface of the IdP system 130. For example, the IdP URL may be a query parameter of the redirect URL. Additionally, the redirect request may include an identifier of the IdP system 130, a state key identifying the particular authentication session between the native application 210 and the main gateway, or some combination thereof. Although the term URL is used herein, one skilled in the art will appreciate that various different uniform resource identifiers (URIs) may be used where appropriate. Before forwarding the redirect request to the system browser 240, the web view module 220 modifies the redirect request. In particular, the web view module 220 modifies the redirect request to include a port of the authentication server 230. For instance, the authentication server 230 may add the authentication server 230 port a query parameter of the redirect URL. The web view module 220 may further modify the IdP URL in the redirect request to be directed to the authentication server 230 in order for the system browser 240 to retrieve an IdP authentication request from the authentication server 230, as described in further detail below with reference to the authentication server 230. For instance, by replacing the scheme, hostname, and port of the IdP URL with that of the authentication server 230. After modifying the redirect request, the web view module 220 forwards the modified redirect request to the system browser 240, which facilitates secure authentication of the user by the IdP system 130. In particular, the system browser 240 may facilitate authentication of the user by the IdP system 130 using the broker gateway directed to by the redirect URL, as described in greater detail below with reference to
The authentication server 230 is an embedded server of the native application 210. For instance, the authentication server 230 may be an embedded HTTP server. The authentication server 230 provides a channel for the system browser 240 to communicate with the native application 210. In some embodiments, the secure authentication process of the native application 210 is configured to be agnostic relative to a particular computing environment of the native application 210. In this case, the authentication server 230 may open a communication channel on a local network of the client device 110 through which the system browser 240 can communicate with the authentication server 230, e.g., using a localhost IP address. The authentication server 230 may further open the communication channel on the local network for each authentication attempt using an ephemeral port. Among other advantages, using a local network to communicate with the system browser 240 enables the secure authentication process of the native application 210 to be agnostic of any a particular computing environment of the native application 210. For instance, the user of the client device does not need to install trusted certificates for the client device 110 that enable authentication server 230 to establish a trusted communication channel with the system browser 240 (e.g., using transport layer security (TLS) or secure sockets layer (SSL) protocols).
As will be described in greater detail below with reference to
Although the authentication server 230 is depicted in
In some embodiments, the native application 210 obtains an IdP authentication request from the main gateway of the service provider separately from the redirect request. In particular, if the relevant IdP uses an authentication protocol wherein an authentication request is configured to use an HTTP POST request (e.g., the SAML POST binding), the main gateway may generate and provide the IdP authentication request to the web view module 220 separately from the redirect request. In this case, in order to make the IdP authentication request available to the broker gateway, the main gateway stores the IdP authentication request in association with an authentication session for the native application 210 and provides the native application with an identifier pointing to the authentication request stored on the main gateway. The native application can then use the identifier to obtain the IdP authentication request from the main gateway at an appropriate time in the authentication process to provide the authentication request to the broker gateway through the authentication server 230. For instance, the authentication server 230 may obtain the IdP authentication request from the main gateway through the native application 210 after receiving a request from the broker gateway to authenticate using the relevant identity provider, as described in more detail below with reference to
Furthermore, in these embodiments the modification by the web view module 220 of the redirect request includes modifying the IdP URL to be directed to the authentication server 230 in order for the redirect request to be retrieved from the authentication server 230 by the system browser 240, such as by replacing the scheme, hostname, and port of the IdP URL with that of the authentication server 230. Various embodiments for facilitating IdP authentication using an IdP authentication request obtained from the main gateway of the service provider system 120 are described in greater detail below with reference to
The system browser 240 is a standalone web browser application. The system browser 240 facilitates communication between the native application 210, a broker gateway of the service provider system 120, and the IdP system 130 for authenticating a user of the client device 110 with the IdP system 130. Among other advantages, using the system browser 240 for user authentication ensures compliance with security requirements of certain IdPs that prevent authentication via web views wrapped by a native application.
The main gateway authentication module 250 communicates directly with the native application 210 to facilitate user authentication for accessing services of the service provider system 120. In particular, the main gateway authentication module 250 receives requests from the native application 210 to authenticate a user of the client device 110. As described above with reference to
The main gateway authentication module 250 further provides the redirect request to the native application 210 to use for authenticating the user through the IdP system 130 via the secure browser 240. After the user has authenticated through the system browser 240, the main gateway authentication module 250 receives an IdP authentication response generated by the IdP system 130. The main gateway authentication module 250 processes the received IdP authentication response to determine whether the user was successfully authenticated. If successfully authenticated, the main gateway authentication module 250 communicates with one or more other components of the gateway 128 to provide the native application 210 access to services of the service provider system 120, e.g., via the web service module 270.
As described above with reference to
The broker gateway authentication module 260 communicates directly with the system browser 240 to facilitate user authentication for accessing services of the service provider system 120. As described above with reference to the web view module 220, the broker gateway authentication module 260 receives a redirect request from the system browser 240 that has been modified by the native application 210. The broker gateway authentication module 260 processes the modified redirect request to register an authentication response handler for receiving the IdP authentication response from the IdP system 130 and forwarding the IdP authentication response to the authentication server 230 based on the authentication server 230 port. After registering the authentication response handler, the broker gateway authentication module 260 redirects the system browser 240 to the modified IdP URL included in the modified redirect request and directed to the authentication server 230. After the authentication server 230 and the system browser 240 facilitate user authentication through the IdP system 130, the broker gateway authentication module 260 receives the IdP authentication response from the IdP system 130 via the registered authentication response handler. The registered authentication response handler of the broker gateway authentication module 260 forwards the authentication response to the authentication server 230 via a redirect through the system browser 240.
In some embodiments where the IdP authentication response is intended to be communicated via a POST request, the broker gateway authentication module 260 partitions the IdP authentication response into a set of data chunks for providing individually to the authentication server 230. In particular, the broker gateway authentication module 260 may embed each data chunk into a URL of a GET request for providing to the authentication server 230. In this case, the size of each data chunk may be less than a threshold size selected according to a URL size limit of one or more web browsers (e.g., the system browser 240). In particular, the threshold size limit may be selected to ensure that the size of the GET request URLs including the data chunks do not exceed the URL size limits of the one or more web browsers. As an example, the threshold size limit may be 2048 eight-byte characters. The broker gateway authentication module 260 may further provide a total number of data chunks in the set of data chunks to the authentication server 230 so that the authentication server 230 knows when it has received all of the data chunks representing an IdP authentication response. For example, the total number of data chunks may be included as a query parameter of the GET request URL for the first data chunk transmitted. Additionally, or alternatively, the GET request URLs for the data chunks may include information identifying the authentication session between the native application 210 and the main gateway, such as a state key included in the redirect request received from the main gateway.
In an exemplary embodiment, the broker gateway authentication module 260 first encodes the IdP authentication response as UTF-8 bytes and then base64-url encodes the bytes representing the IdP authentication response into a URL-safe string. The broker gateway authentication module 260 determines a base length of a GET request URL without an embedded data chunk, and subtracts the base length from the URL size threshold to determine a size of a data chunk for the GET request. The broker gateway authentication module 260 extracts a portion of the base64-url string representing the IdP authentication response with the data chunk size and adds the portion to the GET request URL. The broker gateway authentication module 260 may further add a state key for the authentication session as a key for the GET request URL.
In some embodiments, some or all of the redirects through the system browser 240 by the broker gateway authentication module 260 and the authentication server 230 are performed using custom redirect instructions (e.g., computer code) rather than a standard browser redirect (e.g., an HTTP 302 redirect). In particular, some web browsers assume an infinite redirect has been entered if a threshold number of standard browser redirects occur in a certain time frame and responsively display an error message. In order to avoid an error message being displayed, the broker gateway authentication module 260 may provide each data chunk to the authentication server 230 with a non-redirect status code, such as a 200 OK HTTP status code, and custom instructions that instructs the system browser 240 to redirect to the authentication server 230. For example, the custom instructions may be included in an HTML document containing JavaScript code. Similarly, requests by the authentication server 230 for additional data chunks from the broker gateway authentication module 260 may be provided with a non-redirect status code and an HTML document that instructs the system browser 240 to redirect to the broker gateway.
In some embodiments, the custom redirect instructions may result in the system browser 240 alternating between displaying an interface associated with the authentication server 230 and an interface associated with the broker gateway authentication module 260. In contrast, the standard browser redirect may be processed in the background by the system browser 240 without altering what is displayed by the client device 110. To reduce alteration in the visual display during the transmitting of the set of data chunks, the broker gateway authentication module 260 and the authentication server 230 may alternate between using standard browser redirects and custom instruction redirects. For instance, a custom instruction redirect may be used every N number of redirects, with standard browser redirects used otherwise.
In some embodiments, the broker gateway authentication module 260 validates the IdP URL included in the redirect request by generating a temporary IdP URL to compare to the received IdP URL. For instance, the gateway 128 may generate IdP URLs using internal identifiers of IdPs, e.g., an identifier of the IdP system 130 included in the redirect request. In this case, the broker gateway authentication module 260 generates the temporary IdP URL using the IdP identifier included in the redirect request. The broker gateway authentication module 260 compares the temporary and received IdP URLs to confirm whether the URLs have matching hosts.
For a given authentication attempt by a client device a particular gateway 128 may act as only one of either the main gateway (e.g., via the main gateway authentication module 250) or the broker gateway (e.g., via the broker gateway authentication module 260) for the authentication attempt. Alternatively, the gateway 128 may act as both the main gateway and the broker gateway for a particular authentication attempt by a client device.
The web service module 270 provides services of the service provider 120 to client devices that have been successfully authenticated. For instance, the web service module 270 may provide access to one or more web applications of the to the native application 210. The web service module 270 may communicate with other components of the gateway 128 to determine whether a client device has been authentication, such as the main gateway authentication module 250.
The client data store 280 stores data for clients of the service provider system 120, such as the client device 110. Client data may include various information including identifiers (e.g., IP address, MAC address, Bluetooth address, etc.), historical logs, accessibility settings, generated reports, current or historical geolocation(s) according to established communication sessions, etc. Additionally, or alternatively, the client data store 280 may store information corresponding to an authentication session for a client, such as any information included in an IdP authentication response, e.g., a unique user ID in the IdP system 130, a username in the IdP system 130, a first name in the IdP system 130, a last name in the IdP system 130, an email address in the IdP system 130, a set of roles in the IdP system 130, a set of attributes of the user, and any other suitable information corresponding to the user. In some embodiments, some services of the service provider system 120 are only designated for access by permitted clients.
Processes for SAML Identity Provider Authentication
Based on the request to access a service, the main gateway 302 generates 308 a redirect request including an IdP URL. For instance, the redirect request may include the IdP URL as a query parameter of a redirect URL. The redirect request has a redirect URL that directs back to one or more gateways of the service provider system 120 (e.g., to the broker gateway authentication module 260 of a particular gateway 128). As described above with reference to
After generating 308 the redirect request, the main gateway 302 transmits 310 the redirect request to the native application 210. The native application 210 modifies the transmitted redirect request and forwards 312 the modified redirect request to the system browser 240. In particular, the native application 210 modifies the IdP URL to be directed to the authentication sever 230 and to add a port of the authentication server 230 to the redirect request. The native application 210 may determine that the IdP URL should be modified to be directed to the authentication server 230 responsive to identifying an indicator in the redirect request that an HTTP POST request will be used by the IdP system 130.
The system browser 240 uses 314 the modified redirect request to redirect to a broker gateway 304. For instance, the load balancer 124 may establish a communication session between the system browser 240 and the broker gateway 304 based on the redirect request. After the redirect to the broker gateway, the broker gateway 304 registers 316 an authentication response handler using the modified redirect request. In particular, the authentication response handler has access to the port of the authentication server 230 included in the modified redirect request. The authentication response handler may additionally have access to other information included in the redirect request, such as a state key for the authentication session or an identifier of the IdP system 130.
After registering the response handler, the broker gateway 304 redirects 318 the system browser 240 to the modified IdP URL directed to the authentication server 230. The authentication server 230 intercepts 320 the redirect to the modified IdP URL redirect and requests 322 a SAML authentication request for the IdP system 130 from the main gateway 302. For instance, the authentication server 230 may request the SAML authentication request from the main gateway 302 using session information stored by the native application 210 for a communication session between the native application 210 and the main gateway 302. Responsive to the request 322, the main gateway 302 generates 324 the SAML authentication request and transmits 326 the SAML authentication request to the authentication server 230. For example, the main gateway 502 may transmit the SAML authentication request using the SAML POST binding. Having obtained the SAML authentication request, the authentication server 230 redirects 328 the system browser 240 to the IdP URL through the system browser 240 using the SAML authentication request.
After the system browser 240 redirects to the IdP URL, the system browser 240 facilitates 330 authentication of the user through the IdP system 130. For example, the system browser 240 may display an authentication interface of the IdP system 130 corresponding to the IdP URL on a display of the client device 110. In this case, the user of the native application 210 may submit authentication credentials to the IdP system 130 through the authentication interface, such as a user identifier, password, authentication factor, or any other suitable authentication credential.
After the user authenticates with the IdP system 130, the broker gateway 304 receives 332 a SAML authentication POST response from the IdP system 130 via the registered authentication response handler 316. In order to forward the authentication response 332 to the authentication server 230, the broker gateway 304 partitions 334 the SAML authentication POST response into a set of data chunks based on a URL size limit of the system browser 240. The broker gateway transmits 336 a current data chunk to the authentication server 230 via a redirect through the system browser 240. After receiving the current data chunk, the authentication server 230 processes information included in the browser redirect to determine whether all of the set of data chunks have been received. If all of the data chunks have not been received, the authentication server 230 requests 338 a next data chunk from the broker gateway 304 via another browser redirect through the system browser 240. The broker gateway 304 and the authentication server 230 repeat 340 steps 336 and 338 until all data chunks of the set of data chunks have been transmitted to the authentication server 230.
After receiving all data chunks of the set of data chunks, the authentication server 230 reassembles 342 the SAML authentication response from the set of data chunks. The native application 210 transmits 344 the reassembled SAML authentication response to the main gateway 302. For example, the native application 210 may provide the reassembled SAML authentication response to an authentication callback registered by the main gateway 302. Finally, the main gateway 302 processes 346 the SAML authentication response in order to provide the native application 210 access to the service of the service provider 120 if the SAML authentication response indicates the user was successfully authenticated.
In some alternative embodiments to the one depicted in
Method of Secure IDP Authentication for Native Application
The process 600 includes the computing device requesting 610, via a native application executing on the computing device, access to a service from a main gateway of a service provider associated with the native application. For instance, the web view module 220 of the native application 210 may request access a service of the service provider system 120.
The process 600 further includes the computing device receiving 620, via the native application, a redirect request from the main gateway including an IdP URL directed to a network address of an IdP. For example, the user of the client device 110 may select authentication via the IdP system 130 using a web view of the native application 210. As described above with reference to
The process 600 further includes the computing device providing 630, via a web browser of the computing device, the IdP URL to a broker gateway of the service provider using the redirect request. For instance, as described above with reference to
The process 600 further includes the computing device requesting 640, by the web browser, authentication of a user of the computing device by the IdP. For instance, the computing device may display through the web browser an authentication interface of the IdP for receiving authentication credentials of the user. The broker gateway is further configured to receive an IdP authentication response from the IdP based on the authentication of the user and to partition the IdP response into a set of data chunks. Each data chunk of the set of data chunks are less than a threshold size selected based on a browser URL size limit, e.g., of the web browser.
The process 600 further includes the computing device sequentially receiving and assembling 650, by the authentication server, the set of data chunks from the broker gateway to produce a copy of the IdP authentication response. For example, the authentication server and the broker gateway may communicate back and forth via a series of redirect requests through the web browser, as described above with reference to
The process 600 further includes the computing device providing 660, by the native application, the copy of the IdP authentication response to the main gateway. The main gateway is configured to process the copy of the authentication response and, if the copy of the authentication response indicates the user was successfully authenticated, provide the native application with access to the main service.
The machine may be a server computer, a client computer, a personal computer (PC), a tablet PC, a set-top box (STB), a smartphone, an internet of things (IoT) appliance, a network router, switch or bridge, or any machine capable of executing instructions 724 (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute instructions 724 to perform any one or more of the methodologies discussed herein.
The example computer system 700 includes one or more processing units (generally processor 702). The processor 702 is, for example, a central processing unit (CPU), a graphics processing unit (GPU), a digital signal processor (DSP), a controller, a state machine, one or more application specific integrated circuits (ASICs), one or more radio-frequency integrated circuits (RFICs), or any combination of these. The computer system 700 also includes a main memory 704. The computer system may include a storage unit 716. The processor 702, memory 704, and the storage unit 716 communicate via a bus 708.
In addition, the computer system 700 can include a static memory 706, a graphics display 710 (e.g., to drive a plasma display panel (PDP), a liquid crystal display (LCD), or a projector). The computer system 700 may also include alphanumeric input device 712 (e.g., a keyboard), a cursor control device 714 (e.g., a mouse, a trackball, a joystick, a motion sensor, or other pointing instrument), a signal generation device 718 (e.g., a speaker), and a network interface device 720, which also are configured to communicate via the bus 708. In some embodiments, the computer system 700 may include cell phone or smartphone hardware, such as a camera, motion sensor, accelerometer, scanner (or QR code reader), global positioning system (GPS) functionalities and geolocation abilities, near field communication, etc.
The storage unit 616 includes a machine-readable medium 722 on which is stored instructions 724 (e.g., software) embodying any one or more of the methodologies or functions described herein. For example, the instructions 724 may include instructions for implementing the functionalities of the client device 110 or the service provider system 120. The instructions 724 may also reside, completely or at least partially, within the main memory 704 or within the processor 702 (e.g., within a processor's cache memory) during execution thereof by the computer system 700, the main memory 704 and the processor 702 also constituting machine-readable media. The instructions 724 may be transmitted or received over a network 726 via the network interface device 720.
While machine-readable medium 722 is shown in an example embodiment to be a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) able to store the instructions 724. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing instructions 724 for execution by the machine and that cause the machine to perform any one or more of the methodologies disclosed herein. The term “machine-readable medium” includes, but not be limited to, data repositories in the form of solid-state memories, optical media, and magnetic media.
The foregoing description of the embodiments has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the patent rights to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.
Some portions of above description describe the embodiments in terms of algorithmic processes or operations. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs comprising instructions for execution by a processor or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of functional operations as modules, without loss of generality.
As used herein, any reference to “one embodiment” or “an embodiment” means that a particular element, feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. It should be understood that these terms are not intended as synonyms for each other. For example, some embodiments may be described using the term “connected” to indicate that two or more elements are in direct physical or electrical contact with each other. In another example, some embodiments may be described using the term “coupled” to indicate that two or more elements are in direct physical or electrical contact. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The embodiments are not limited in this context.
As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
In addition, use of the “a” or “an” are employed to describe elements and components of the embodiments. This is done merely for convenience and to give a general sense of the disclosure. This description should be read to include one or at least one and the singular also includes the plural unless it is obvious that it is meant otherwise. Where values are described as “approximate” or “substantially” (or their derivatives), such values should be construed as accurate +/−10% unless another meaning is apparent from the context. From example, “approximately ten” should be understood to mean “in a range from nine to eleven.”
Upon reading this disclosure, those of skill in the art will appreciate still additional alternative structural and functional designs for a system and a process for verifying an account with an on-line service provider corresponds to a genuine business. Thus, while particular embodiments and applications have been illustrated and described, it is to be understood that the described subject matter is not limited to the precise construction and components disclosed herein and that various modifications, changes and variations which will be apparent to those skilled in the art may be made in the arrangement, operation and details of the method and apparatus disclosed. The scope of protection should be limited only by any claims that issue.
Patent | Priority | Assignee | Title |
11734408, | Jul 15 2021 | Citrix Systems, Inc. | Remapping of uniform resource locators for accessing network applications |
Patent | Priority | Assignee | Title |
6704873, | |||
9009848, | Oct 25 2004 | Security First Innovations, LLC | Secure data parser method and system |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
May 18 2021 | ROJAS, MATTHEW | Inductive Automation, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 056307 | /0774 | |
May 18 2021 | ROJAS, MATTHEW | Inductive Automation, LLC | CORRECTIVE ASSIGNMENT TO CORRECT THE REPLACES ENTIRE ASSIGNMENT DOCUMENT TO CORRECT A TYPOGRAPHCIAL ERROR PREVIOUSLY RECORDED AT REEL: 056307 FRAME: 0774 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 058107 | /0709 | |
May 19 2021 | Inductive Automation, LLC | (assignment on the face of the patent) | / | |||
May 19 2021 | SPECHT, JOEL | Inductive Automation, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 056307 | /0774 | |
May 19 2021 | SPECHT, JOEL | Inductive Automation, LLC | CORRECTIVE ASSIGNMENT TO CORRECT THE REPLACES ENTIRE ASSIGNMENT DOCUMENT TO CORRECT A TYPOGRAPHCIAL ERROR PREVIOUSLY RECORDED AT REEL: 056307 FRAME: 0774 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 058107 | /0709 |
Date | Maintenance Fee Events |
May 19 2021 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
May 26 2021 | SMAL: Entity status set to Small. |
Date | Maintenance Schedule |
Dec 14 2024 | 4 years fee payment window open |
Jun 14 2025 | 6 months grace period start (w surcharge) |
Dec 14 2025 | patent expiry (for year 4) |
Dec 14 2027 | 2 years to revive unintentionally abandoned end. (for year 4) |
Dec 14 2028 | 8 years fee payment window open |
Jun 14 2029 | 6 months grace period start (w surcharge) |
Dec 14 2029 | patent expiry (for year 8) |
Dec 14 2031 | 2 years to revive unintentionally abandoned end. (for year 8) |
Dec 14 2032 | 12 years fee payment window open |
Jun 14 2033 | 6 months grace period start (w surcharge) |
Dec 14 2033 | patent expiry (for year 12) |
Dec 14 2035 | 2 years to revive unintentionally abandoned end. (for year 12) |